Web SSO
- SmartRecruit
- +
- SmartConnect
Admins can quickly enable single sign-on (SSO) and allow your users to sign in with their existing login credentials.
If you are using Okta for SSO and provisioning SmartRecruiters user accounts, please follow the Okta SmartRecruiters Integration Guide instead.
Prerequisites
In order to perform a full Web SSO set up with SmartRecruiters:
- You should have an Identity Provider (IdP) set up and running and you know how to add a new Service Provider (SP) to the configuration.
- You have integrated your IdP with SmartRecruiters User API in order to sync user profile details in ongoing basis.
- You have an Admin account within SmartRecruiters to access Web SSO configuration.
Web SSO Configuration
To fully enable the SSO capability for your users, you will need to configure the Web SSO information in SmartRecruiters end and in your IdP end.
Configuring in SmartRecruiters
- Navigate to Settings / Admin.
- Select Web SSO under Configuration
- Click Edit Web SSO configuration and enable Web SSO
- Select the Signature Algorithm and Certificate.
- From your IdP metadata, copy your IdP URL and certificate onto your clipboard.
- Paste the IdP URL and certificate respectively onto the bottom half of the SmartRecruiters Web SSO configuration page.
- Save the Web SSO configuration.
Adding new Service Provider in your IdP
There are numbers of different IdPs out in the market and each requires slightly different steps to add Service Provider into its configuration. The general workflow for these IdPs, however, should remain the same as they support the SAML 2.0 standard.
The example steps below are to serve as a general guide to help you to add a new Service Provider in your IdP:
- In your IdP, locate the function or module that manages service providers
- Add a new service provide from SAML 2.0 XML metadata
- In the Web SSO configuration page in SmartRecruiters, click Download SmartRecruiters metadata
- Copy the metadata onto your clipboard
- Paste and import the metadata in your IdP configuration
- Add SmartRecruiters onto the service provider name field and save the configuration.
User Provisioning
Before your users can initiated the SSO log in, be sure to associate your users with SSO Identifier. You can do that by creating or updating users using the SmartRecruiters User API. You will need an active API credential to access the User API. See the Credential Manager guide for more detail.
- You can create a new user by making a POST call to the /users endpoint. Be sure to specify the SSO Identifier in the ssoIdentifer property in the call
- Alternatively, if the user has been created in SmartRecruiters but not though the API, you can make a PATCH call to the /users endpoint and update the user's ssoIdentifier property like in the following example:
{
"op": "add",
"path": "/ssoIdentifier",
"value": "ssoIdentifierValue"
}
After you completed the configuration in both SmartRecruiters and in your IdP and your users are associated with SSO Identifier, your user can initiate the SSO log in with the URL:
https://www.smartrecruiters.com/web-sso/saml/<CompanyIdentifier>/login
Certificate Update
The SAML certificates which SmartRecruiters uses to enable the SSO functionality have expiration dates and will eventually expire. Prior to the date which the certificates are set to expire, SmartRecruiters will add in a new set of certificates.
To ensure your users can continue to access SmartRecruiters with their existing credentials, you will need to switch to the new certificate by selecting the new certificate on the SmartRecruiters Web SSO configuration page as well as updating the service provider configuration on your IdP end. The exact steps are the same as configuring the Web SSO for the first time.
The latest sets of SmartRecruiters SAML certificates are set to expire by the end of May, 2022.